NATing (well, PATing) Specific Address Ranges on a Fortigate

It’s a simple little thing I struggled to find any real documentation on, but it can entirely be done on Fortigate firewalls. The challenge was simple: take a network made up of both globally routable IPv4 addresses and private address space, hold it behind a perimeter firewall, and selectively NAT/PAT only the traffic coming from the private address space, leaving the globally routable hosts untranslated.

The trick involves firewall rules. You start by creating an address pool you will be translating and overloading into. For my tests I simply selected a single IP address for each private range I’d be NATing, so every host in that range is PATed out of one public address.

Now you need to create a new rule (or policy, in the Fortinet world) running from your internal to your external zone. I’m assuming a rather simplified network arrangement of one internal and one external interface; adjust as required.

Set the source address to the private range you want to translate and overload. The destination address and service will likely be “Any”. Turn NAT on (toward the bottom of the page) and select “Use Dynamic IP Pool”, then select the address pool created earlier. Because the policy only matches the private source range, traffic from the globally routable addresses falls through to whichever policy you have for them and is left untranslated.

Now save the rule and your NAT/PAT should be working. As a further step, I’d highly recommend you have an inbound rule in place dropping traffic from sources that match your private address space, since nothing legitimate on the Internet should arrive with an RFC 1918 source. You could even go a stage further and look into Bogon block lists should your ISP not offer such a service.
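The same steps expressed as FortiOS CLI configuration, as an added example rather than anything from the original post. Everything in it is constructed for illustration: the interface names `internal` and `wan1`, the private range 10.1.0.0/16, and the public pool address 203.0.113.10 (taken from the documentation range TEST-NET-3) are all assumptions to be replaced with your own values. The second policy is the inbound drop for RFC 1918 sources recommended above, with logging enabled so hits show up in the traffic log.

```fortios
# --- 1. The overload (PAT) pool: one public address shared by the whole private range ---
config firewall ippool
    edit "pat-pool-10-1"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# --- 2. Address objects for the private range to translate and for all RFC 1918 space ---
config firewall address
    edit "lan-private-10-1"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "rfc1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "rfc1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "rfc1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "rfc1918-all"
        set member "rfc1918-10" "rfc1918-172" "rfc1918-192"
    next
end

# --- 3. Outbound policy: only the private range matches, so public hosts are left untranslated ---
config firewall policy
    edit 0
        set name "private-to-internet-pat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-private-10-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pat-pool-10-1"
        set logtraffic all
    next

# --- 4. Inbound policy: drop and log anything arriving from the Internet with a private source ---
    edit 0
        set name "drop-rfc1918-inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "rfc1918-all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policy order matters on a Fortigate: the inbound deny must sit above any permissive inbound policy, and the PAT policy must sit above any broader internal-to-wan1 policy that would otherwise match the private range first. To confirm the translation is taking effect, generate some traffic from a host in 10.1.0.0/16 and check the session table with `diagnose sys session filter src 10.1.0.5` followed by `diagnose sys session list`; the session entries should show the NAT hook with 203.0.113.10 as the translated source.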